Microsoft Unveils Privacy Control Feature for IE 9

Microsoft on Tuesday announced an upcoming privacy feature for its Internet Explorer 9 Web browser.

The new "tracking protection" feature will give users potential control over online behavioral advertising, which monitors what users click on and view at Web sites. Behavioral advertising is often enabled via third-party elements on Web pages, such as display ads or Web beacons (invisible one-pixel images). Visitors to a Web site may not be aware that their behavior on that site is being tracked by a third party, and they don't know how that information is used.

The privacy afforded by this new feature won't be automatic. IE 9 users will have to opt into so-called "tracking protection lists" to get that control established. This tracking protection feature will be turned off by default in IE 9, so users will have to activate it first. Microsoft plans to roll out the tracking protection feature when it makes the release candidate version of IE 9 available in "early 2011," according to Dean Hachamovitch, vice president of Internet Explorer, in a press conference held on Tuesday. IE 9 is currently available as beta test version. The release candidate is typically Microsoft's last test version before final product release.

The tracking protection lists for IE 9 can be created by anyone and the effect of the lists will persist across Web sites and browser sessions. In addition, the lists automatically update, according to Hachamovitch. That auto-update capability may mean that users won't have to seek new updates as Web advertising content changes. However, that idea remains to be seen in practice. It's also not clear how IE 9 users will be aware that their lists have been updated.

Microsoft officials said that the tracking protection lists will be available over the Web and they will work on the client side of the browser. How consumers will be able to find those lists wasn't made clear during Microsoft's press conference.

Technically speaking, tracking protection lists are XML files that contain URLs of acceptable and nonacceptable Web sites. IE 9 users will be able to subscribe to them like RSS feeds. These lists not only indicate what sites cannot share user information, they also let users specify acceptable Web sites for information sharing.

Microsoft's tracking protection concept is "more than just blocking cookies," according to Hachamovitch, in a Q&A session with the press. The feature has its roots in "in-private filtering," which is a similar third-party blocking technology that was introduced in IE 8. The other main security feature introduced with IE 8 is "in-private browsing," which eliminates the site-visit trail that would otherwise be automatically stored in the browser's history. In response to a question, Hachamovitch said that Microsoft did not make in-private browsing the default configuration in IE because "consumers want to get back to the sites they visit."

Hachamovitch was also asked about Adobe's so-called "Flash cookies," or "local shared objects" in Adobe's parlance, which aren't supposed to be used for tracking users. Flash cookies have been described as a threat to browser security that is hard to circumvent. The U.S. Federal Trade Commission (FTC) has even opened an inquiry to investigate the security implications of Flash cookies, according to an account published in December by PaidContent.org. In response to the question, Hachamovitch simply said that Microsoft's tracking protection feature operated separately from blocking Adobe Flash cookies.

The cookie control feature in Internet Explorer depends on selecting overall security settings in the browser. Microsoft describes how that works in this blog.

Microsoft has been working with the FTC, which has been exploring a "do not track" concept as a new framework for Web privacy, as described in a December FTC publication, "Protecting Consumer Privacy in an Era of Rapid Change" (PDF download). The do-not-track idea is similar to the "do not call" list that the FTC advocated for phone service customers, with the aim of thinning out unwanted marketing phone calls.

It's not clear that Microsoft is wholly going along with the FTC's idea. Hachamovitch states in a blog post that "'Do Not Track' itself is misnomer in that tracking is an inherent part of many experiences on the web (e.g. a shopping site showing me other items I've browsed to) and off (e.g. a credit card company calling you to confirm what it considers to be suspicious activity)."

Microsoft is also working on privacy issues associated with the Web in Europe. Jean-Phillippe Courtois, president of Microsoft International, noted that the European Commission has just published its Data Protection Directive Communication document, which may lead to updated regulations on online privacy. In a speech (transcript) given before the Europe Data Protection Congress last month, Courtois noted that Microsoft has a strong reason to get online privacy right -- namely, its big financial stake in getting users to trust the Internet cloud.

"Ninety percent of our 40,000 software developers are building for the cloud today," Courtois said. "We have built massive data centers around the world, such as the $500M data center we opened in Dublin, Ireland. But none of these investments will succeed unless our customers are confident that our cloud services will respect -- and protect -- the privacy of their data."

Courtois also noted that although Kinect for the Microsoft Xbox 360 game controller uses facial and body recognition technology, Microsoft took pains to ensure that some privacy safeguards were in place. "For instance, no one sees the facial recognition information that Kinect uses to identify you and to associate you with your avatar," he said.

Microsoft, in devising privacy controls, is also in the advertising business with Bing. The company is still trying to make a dent in the business of No. 1 search ad company Google, which raked in $7.3 billion in revenue in its third quarter, which ended on Sept. 30, 2010. Rik van der Kooi, corporate vice president for Microsoft's Advertiser and Publisher Solutions Group, explained that the new tracking protection feature in IE 9 will help advertising be more relevant on the Web.

"We believe that the convergence of new privacy tools and robust advertising growth can, in fact, co-exist and we are uniquely positioned to provide thought leadership in both areas," van der Kooi explained in a blog post.

In any case, Microsoft appears to be putting the controls for online privacy somewhat into the hands of consumers. That's a potentially good thing if it works, according to IDC analyst Al Hilwa.

"Microsoft is finally seeing the light that it's a very competitive browser space," Hilwa said in a phone interview. "Advertisers are not the ones that should call the shots. They have a responsibility to provide some privacy to users. Proof of the pudding is in the details of how they actually implement that so we'll see how that evolves."